22.09.2008

Web Config Security

In every blog you can find how to secure your web.config file. In this post I'll explain it too.

Some years ago, when we were young and coding in ASP, VB and COM+ at a global bank, we wrote connectionStrings to ENC files. ENC files are files encrypted with the bank's hash keys, and the bank has a global security API for reading them. Now the technology has changed and Microsoft, of course, has made it easy for us. Now you can encrypt connectionStrings without thinking about security. You just have to type these commands at the Command Prompt:

c:\inetpub\wwwroot\WebConfigSecurity>aspnet_regiis -pef "connectionStrings" "C:\
Users\montoya\Documents\Visual Studio 2008\Projects\WebTest\WebConfigSecurity\We
bConfigSecurity" -prov "DataProtectionConfigurationProvider"
Encrypting configuration section...
Succeeded!

c:\inetpub\wwwroot\WebConfigSecurity>aspnet_regiis -pdf "connectionStrings" "C:\
Users\montoya\Documents\Visual Studio 2008\Projects\WebTest\WebConfigSecurity\We
bConfigSecurity"
Decrypting configuration section...
Succeeded!


-prov "DataProtectionConfigurationProvider" says that the machine will use DPAPI (Data Protection API) for encrypting the web.config file. You have two choices: one is DPAPI, which I mentioned above, and the other is RSA. The RSA configuration fits IIS web server farms, and configuring it is a little bit tricky, so I'll post about it later.
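
A check that the encryption actually took effect, added here as an example and not code from the original post: after `aspnet_regiis -pef` the section carries a `configProtectionProvider` attribute and an `EncryptedData` child instead of readable `<add>` entries. The function name and the two sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: a section before and after "aspnet_regiis -pef".
PLAINTEXT_SAMPLE = """<configuration>
  <connectionStrings>
    <add name="AppDb" connectionString="Server=db;User Id=app;Password=example" />
  </connectionStrings>
</configuration>"""

ENCRYPTED_SAMPLE = """<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>
      <CipherData><CipherValue>BASE64-PLACEHOLDER</CipherValue></CipherData>
    </EncryptedData>
  </connectionStrings>
</configuration>"""

def local(tag):
    """Drop an XML namespace prefix: '{ns}EncryptedData' -> 'EncryptedData'."""
    return tag.rsplit("}", 1)[-1]

def audit_connection_strings(web_config_xml):
    """Classify the <connectionStrings> section of a web.config document.

    Returns (status, detail); status is one of
    'missing', 'external', 'encrypted' or 'plaintext'.
    """
    root = ET.fromstring(web_config_xml)
    section = next((e for e in root.iter()
                    if local(e.tag) == "connectionStrings"), None)
    if section is None:
        return ("missing", None)
    # configSource moves the section to another file, which needs its own audit.
    if section.get("configSource"):
        return ("external", section.get("configSource"))
    provider = section.get("configProtectionProvider")
    has_blob = any(local(c.tag) == "EncryptedData" for c in section)
    # Any readable <add connectionString="..."> means secrets are still exposed.
    exposed = [c.get("name") for c in section
               if local(c.tag) == "add" and c.get("connectionString")]
    if provider and has_blob and not exposed:
        return ("encrypted", provider)
    return ("plaintext", exposed)

if __name__ == "__main__":
    for label, doc in (("before", PLAINTEXT_SAMPLE), ("after", ENCRYPTED_SAMPLE)):
        print(label, audit_connection_strings(doc))
```

The RSA provider writes `EncryptedData` inside the XML Encryption namespace, which is why the tag comparison strips namespaces.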


Protecting the Web.Config file programmatically

